Incorrect visitor IP if website uses CloudFlare

  • arcturus
  • Topic Author
  • Offline
  • New Member
  • New Member
More
3 years 1 month ago - 3 years 1 month ago #7388 by arcturus
Incorrect visitor IP if website uses CloudFlare was created by arcturus
Hello developers,

I noticed that visitors IPs are not returned correctly using
Code:
$_SERVER['REMOTE_ADDR']
if the website uses CloudFlare (this instruction returns the IP of the CloudFlare nearest mirror of the website).
Fortunately, CloudFlare adds two (or three) headers with the original customer IP:
Code:
$_SERVER['HTTP_X_FORWARDED_FOR']
and
Code:
$_SERVER['HTTP_CF_CONNECTING_IP']
(and
Code:
$_SERVER['HTTP_TRUE_CLIENT_IP']
if it's the Enterprise paid plan).
Code:
$_SERVER['REMOTE_ADDR']
is used in about 5 files of SecurityCheck Pro.

A remedy to this would be a conditional fallback on which header can be used, something like
Code:
if (isset($_SERVER['HTTP_TRUE_CLIENT_IP'])) $ip = $_SERVER['HTTP_TRUE_CLIENT_IP']; # CloudFlare specific header for enterprise paid plan, compatible with other vendors elseif (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $ip = $_SERVER['HTTP_CF_CONNECTING_IP']; # another CloudFlare specific header available in all plans, including the free one elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; # specific header for proxies elseif (isset($_SERVER['REMOTE_ADDR'])) $ip = $_SERVER['REMOTE_ADDR']; # this one would be used, if no header of the above is present
Last edit: 3 years 1 month ago by arcturus. Reason: Some code was removed by the editor.
The following user(s) said Thank You: Jose

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #7389 by Jose
Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare
Hi arcturus,

Thank you very much for reporting this. There is only a method to determine offensive IP, so I will change it following your suggestion.

And thank you very much again!

Regards,
Jose

Please Log in or Create an account to join the conversation.

  • arcturus
  • Topic Author
  • Offline
  • New Member
  • New Member
More
3 years 1 month ago - 3 years 1 month ago #7390 by arcturus
Replied by arcturus on topic Incorrect visitor IP if website uses CloudFlare
You're welcome.
I was amazed that even if I added some IPs in the blacklist, most of the IPs reported and blacklisted actually belonged to CloudFlare, so the CloudFlare is blacklisted (and whitelisted, not the hackers).
Keep up the good work! :-)
Last edit: 3 years 1 month ago by arcturus.

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #7391 by Jose
Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare

I was amazed that even if I added some IPs in the blacklist, the IPs reported and blacklisted actually belonged to CloudFlare.

To avoid cases like this I added the "avoid proxies" option into Global Configuration -> Tuning. One of the options returns the x-forwarded (and other) headers to determine the real IP and the other the $_SERVER header, but your suggestion seems to improve my code.

Keep up the good work! :-)

Thank you!!

Please Log in or Create an account to join the conversation.

  • arcturus
  • Topic Author
  • Offline
  • New Member
  • New Member
More
3 years 1 month ago - 3 years 1 month ago #7392 by arcturus
Replied by arcturus on topic Incorrect visitor IP if website uses CloudFlare
I checked that option for a long time (and still, the situation described above occurred).

Later edit: Actually, if I want to whitelist my current IP, the IP that appears in the SecurityCheck Pro component belongs to CloudFlare.

Later edit: I used that option on and off, but the IP to add to whitelist is still CloudFlares (in this case I would have expected that, if that option is set to „No”, SecutiryCheck Pro to use the real visitor's IP taken from the HTTP_X_FORWARDED_FOR proxy header put by CloudFlare). Maybe some extensive tests would be required.
Last edit: 3 years 1 month ago by arcturus.

Please Log in or Create an account to join the conversation.

More
3 years 1 month ago #7393 by Jose
Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare
Yes, I didn't know your explanation about cloudflare's headers. So I will improve my code with yours :)

Regards,
Jose

Please Log in or Create an account to join the conversation.

Time to create page: 0.162 seconds
Copyright © 2023 Securitycheck Extensions. All Rights Reserved.

This site is not affiliated with or endorsed by the Joomla! Project. It is not supported or warranted by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters, the trademark holder in the United States and other countries.

We may collect your IP address and your browser's User Agent string while using our site for security reasons. This information is retained only until we check you're not trying to hack our website.